How I Cracked Trivia Crack

Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It’s the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I’ve never been very interested in gaming, my wife has recently become a huge fan of Trivia Crack. After watching her play for a while, I decided to download it and take a closer look into how it was implemented.

I began by monitoring the web API requests made over the network while using the Android app. Very quickly, I noticed something interesting during the game’s operation. It seemed that the app was receiving the category, question, and answer from the Trivia Crack servers before the user even began spinning the “category” wheel.

Below is an example response that the app fetches prior to showing this screen:

JavaScript

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

{

"id":2747994099,

"opponent":{

"id":0,

"alerts_count":0,

"username":"smartplay(tm)"

},

"game_status":"PENDING_APPROVAL",

"language":"EN",

"created":"03/23/2015 08:58:29 EST",

"last_turn":"03/23/2015 08:58:29 EST",

"type":"NORMAL",

"expiration_date":"03/26/2015 08:58:29 EST",

"my_turn":true,

"statistics":{

"player_one_statistics":{

"category_questions":[

{

"category":"GEOGRAPHY",

"correct":1,

"incorrect":0,

"worst":false

}

],

"correct_answers":1,

"incorrect_answers":0,

"challenges_won":0,

"questions_answered":1,

"crowns_won":0

},

"player_two_statistics":{

"correct_answers":0,

"incorrect_answers":0,

"challenges_won":0,

"questions_answered":0,

"crowns_won":0

}

},

"duelGameType":false,

"normalType":true,

"spins_data":{

"spins":[

{

"type":"NORMAL",

"questions":[

{

"question":{

"id":14996887,

"category":"SPORTS",

"text":"Who was the first woman gymnast to score a perfect ten at the Olympics?",

"answers":[

"Nadia Comaneci",

"Mo Huilan",

"Tatiana Gutsu",

"Agnes Keleti"

],

"author":{

"id":71534267,

"name":"Florentina Ionela Gagliano",

"username":"florentina.gagliano",

"facebook_id":"100000030456122",

"facebook_name":"Florentina Ionela Gagliano",

"fb_show_picture":true,

"fb_show_name":true

},

"correct_answer":0,

"media_type":"NORMAL"

},

"powerup_question":{

"id":8534934,

"category":"SPORTS",

"text":"In basketball, what does it mean to \"kiss it off the glass\"?",

"answers":[

"Make both free throws",

"Pass off someone's back",

"Dribble past two people",

"Hit a shot off the backboard"

],

"author":{

"id":41439403,

"name":"tsan.819",

"username":"tsan.819",

"fb_show_picture":false,

"fb_show_name":false

},

"correct_answer":3,

"media_type":"NORMAL"

}

}

]

}

]

},

"available_crowns":[

"SCIENCE",

"ARTS",

"HISTORY",

"ENTERTAINMENT",

"SPORTS",

"GEOGRAPHY"

],

"my_player_number":1,

"available_extra_shots":1,

"player_one":{

"charges":1

},

"player_two":{

"charges":0

},

"round_number":1,

"sub_status":"P1_PLAYING_FIRST_TURN",

"previous_sub_status":"P1_WAITING_FIRST_TURN",

"is_random":true,

"unread_messages":0,

"status_version":1,

"new_achievements":false,

"my_level_data":{

"level":1,

"points":1,

"progress":33,

"goal_points":3,

"level_up":false

}

}

Note the category, question, answer options, and correct answer keys are all included in the response. This means it would be straightforward to identify the answer when asked within the app to cheat the game. While not exactly ethical or fair for gaming use, I thought it would be interesting research.

My initial plan was to reverse engineer the Android app and provide the user with a Toast notification of the answer. I started by decompiling the app and reviewing the source code. I used grep to search the source for some keywords that I hoped would help me track down the questions/answers activity. While searching through some of the potential results, a few lines caught my attention.

Following the code, “ANSWERS_CHEAT” alluded to a hidden cheat mode in the game. Rather than reinvent the wheel, I decided on finding out how it worked. Using grep, I found all references to the “ANSWERS_CHEAT” string and quickly discovered a reference to a hidden menu on the main dashboard activity.

This code appeared to handle setting the cheat mode option, but I still wasn’t able to access the menu itself. Within the same activity, I reviewed the OnCreateOptionsMenu method below:

Java

1

2

3

4

5

6

7

8

9

10

11

publicbooleanonCreateOptionsMenu(Menu menu)

{

if(com.etermax.tools.f.a.a())

{

getMenuInflater().inflate(com.etermax.l.preguntados_debug_menu,menu);

returntrue;

}else

{

returnsuper.onCreateOptionsMenu(menu);

}

}

Most of the cheat mode functionality, including the hidden menu, looked like it depended on the returned value of
com.etermax.tools.f.a.a() . The code for that class is below:

Java

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

publicclassa

{

privatestaticbooleana;

privatestaticStringb;

publicstaticvoida(ApplicationInfo applicationinfo)

{

a=false;

}

publicstaticvoida(Strings)

{

b=s;

}

publicstaticbooleana()

{

returna;

}

publicstaticStringb()

{

returnb;

}

publicstaticbooleanc()

{

returnb!=null;

}

}

This seemed to be the decision point that I was looking for. Changing the assignment
a = false; to
true should’ve enabled the hidden menu. I opened the smali representation of the class and found the assignment of the boolean member.

Java

1

2

3

4

5

6

7

8

9

10

11

12

13

#direct methods

.method publicstatica(Landroid/content/pm/ApplicationInfo;)V

.locals1

.prologue

.line29

const/4v0,0x0

sput-booleanv0,Lcom/etermax/tools/f/a;->a:Z

.line30

return-void

.endmethod

I changed line 29 (snippet line #7 above) to
const/4 v0, 1 , which set the value to true. I then recompiled the app and installed it. The menu button then successfully exposed the hidden options below:

“Answer Cheat” now seemed enabled by default, so I started up a new game to test. As expected, the games now appended a number after the questions, indicating the zero-based index of the correct answer.

Download the patched APK here. Note this is for research purposes only; I am not responsible for any immoral gameplay!

I know you’ve said a particular question and answer is pre-supplied. But if I get the Crown option, then hit Airport mode, TriviaCrack already knows the question and answer for all my available crowns. if that is so, is there a part of the code that checks if it’s a Crown spin THEN checks which are available THEN grabs all the answers before you pick which one you’re going for?

Darnell Royal

Lol so how do I know the right answer?

Clusten

You could start reading the post…

Darnell Royal

Or you could just point me in the right direction considering I read the post and obviously didn’t see it i

MaLaCoiD

After the question, it has a number in parenthesis. 0=A 1=B 2=C and so on.

Darnell Royal

Thanks!!

Darnell Royal

Anyway to get this working on the ad free version. Just wondering since I had already paid for it

Edgar Arroyo

I’d love to give this a try but the new mirror just point to a file with 0 kb, so it never downloads, and the original one I can download and install but it simply doesn’t login using my Facebook account, like I do in the regular one.

James Dean

It seems the cracked app is having a problem signing in through faccebook for me, any reccomendations

olydrh

Same here. Just has the Debug button at top of main screen. But I couldn’t login via Facebook.

Anna Bella

Actually I ran into that also but you can just sign in through the “email address” that you use for FB and it will recgonize it as your FB one and log you in that way. Works great now

olydrh

Gotcha – put in my FB email address and then I got the popup that I’m not connected via FB so I can’t play with friends… hit the connect with FB there and it took me into my current games from before.

David

Use Lucky Patcher + Xposed to disable the check. FB signin works fine.

jashenberner

i downloaded Lucky Patcher and tried removing License Verification but I still cannot link to my Facebook account. Any other ideas on how to sign in with Facebook?

qb

Most likely because the APK is no longer signed/validated. I doubt Facebook lets unregistered apps use their API.

spiros

Hello my friend,

Very nice topic! Fortunately I know php,python,c,c++ etc and I can easily understand Java witch I never study.

I would like very much to ask you though, how to you capture traffic from the android device? I was thinking of using my laptop as “gateway” to the router, capturing packets with wireshark. What do you suggest doing?

-Spiros

John Doezer

Depends whats on your edge. You may be able to capture traffic from a specific IP as it traverses your firewall. You could also plug your WiFi router and your laptop into ports on a switch, and mirror the WiFi router port to the port that the laptop is plugged into.

Matt Street

If you rooted your phone I think you could just put wireshark or tcpdump on it.

Good job Randy. I play this game with my parents and siblings, and have noticed a lot of crazy issues. One of those issues is that you could win all crowns in one round without the other person playing. This has happened on numerous occasions. Example: If you spin and get the crown option, a successful answer gets you a crown but doesn’t count as a successful answer, thus enabling this lopsided scoring.

I also noticed the randomization of the spins being suspect – and your article here explains that. They’re already determining before you spin. Talk about being predestinated… =)

Curious Dev

So I’m curious. Are you not worried about getting into legal trouble with trivia crack? Do you think they would have a case against you for accessing their API via something that isn’t the official client? Do you think you are safe since you aren’t making money? Thanks and good work.

JDM

Or you could actually just, like, you know … learn things. You know, the fun way.

Alejandro Espinoza

Where can i find the code that you found?

Bryan Geerds (GHOSTOFBENCERX)

The numbers aren’t the right answers.

Randy Westergren

Correct. As I wrote in the post, the number represents the zero-based index of the answer.

Saqlain Shajahan

Hi Randy just wondering if you can release a new apk that not only shows the correct answer but also has endless lives. Please help

Thanks

Eli Petrizzi

can you post the most recent update with this code please?

Mathias Schjødt-Pedersen

I for a q. Why aren’t it working any longer

GizmoCodes

Hey, there has been a few major updates that require the app to update, and it says this one isn’t. Think you could update it?